diff --git a/.gitignore b/.gitignore index 7362d2e..bfa675f 100644 --- a/.gitignore +++ b/.gitignore @@ -40,3 +40,5 @@ pam_ssh_agent_auth-0.9.2.tar.bz2 /openssh-8.1p1.tar.gz.asc /openssh-8.2p1.tar.gz /openssh-8.2p1.tar.gz.asc +/openssh-8.3p1.tar.gz +/openssh-8.3p1.tar.gz.asc diff --git a/openssh-6.6p1-ctr-cavstest.patch b/openssh-6.6p1-ctr-cavstest.patch index 9454c50..1e12dcc 100644 --- a/openssh-6.6p1-ctr-cavstest.patch +++ b/openssh-6.6p1-ctr-cavstest.patch @@ -20,10 +20,10 @@ diff -up openssh-6.8p1/Makefile.in.ctr-cavs openssh-6.8p1/Makefile.in ssh-xmss.o \ @@ -194,6 +195,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o - $(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(KEYCATLIBS) $(LIBS) + $(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(KEYCATLIBS) $(LIBS) +ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o -+ $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS) ++ $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) + ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS) $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) diff --git a/openssh-6.6p1-keycat.patch b/openssh-6.6p1-keycat.patch index 5fc9b9e..b5e055a 100644 --- a/openssh-6.6p1-keycat.patch +++ b/openssh-6.6p1-keycat.patch @@ -62,10 +62,10 @@ diff -up openssh/Makefile.in.keycat openssh/Makefile.in ssh-xmss.o \ 
@@ -190,6 +191,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o - $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lfipscheck $(LIBS) $(LDAPLIBS) + $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LDAPLIBS) +ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o -+ $(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(KEYCATLIBS) $(LIBS) ++ $(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(KEYCATLIBS) $(LIBS) + ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS) $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) diff --git a/openssh-6.7p1-kdf-cavs.patch b/openssh-6.7p1-kdf-cavs.patch index 971ac3d..40966d3 100644 --- a/openssh-6.7p1-kdf-cavs.patch +++ b/openssh-6.7p1-kdf-cavs.patch @@ -20,7 +20,7 @@ diff -up openssh-6.8p1/Makefile.in.kdf-cavs openssh-6.8p1/Makefile.in ssh-xmss.o \ @@ -198,6 +199,9 @@ ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHD ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o - $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS) + $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) +ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-cavs.o $(SKOBJS) + $(LD) -o $@ ssh-cavs.o $(SKOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) diff --git a/openssh-6.7p1-ldap.patch b/openssh-6.7p1-ldap.patch index aec4794..bf0dfe6 100644 --- a/openssh-6.7p1-ldap.patch +++ b/openssh-6.7p1-ldap.patch 
@@ -173,7 +173,7 @@ diff -up openssh-6.8p1/Makefile.in.ldap openssh-6.8p1/Makefile.in $(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2) +ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o -+ $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lfipscheck $(LIBS) $(LDAPLIBS) ++ $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LDAPLIBS) + ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS) $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) diff --git a/openssh-7.6p1-audit.patch b/openssh-7.6p1-audit.patch index 024d990..98d5709 100644 --- a/openssh-7.6p1-audit.patch +++ b/openssh-7.6p1-audit.patch @@ -883,8 +883,8 @@ diff -up openssh/cipher.c.audit openssh/cipher.c - if (cc == NULL) + if (cc == NULL || cc->cipher == NULL) return; - if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) - explicit_bzero(&cc->cp_ctx, sizeof(cc->cp_ctx)); + if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) { + chachapoly_free(cc->cp_ctx); diff -up openssh/cipher.h.audit openssh/cipher.h --- openssh/cipher.h.audit 2019-03-27 23:26:14.000000000 +0100 +++ openssh/cipher.h 2019-04-03 17:02:20.714886050 +0200 @@ -1738,7 +1738,7 @@ diff -up openssh/packet.c.audit openssh/packet.c state->newkeys[mode] = NULL; } /* note that both bytes and the seqnr are not reset */ -@@ -2167,6 +2183,71 @@ ssh_packet_get_output(struct ssh *ssh) +@@ -2167,6 +2183,72 @@ ssh_packet_get_output(struct ssh *ssh) return (void *)ssh->state->output; } @@ -1769,6 +1769,7 @@ diff -up openssh/packet.c.audit openssh/packet.c + + cipher_free(state->receive_context); + cipher_free(state->send_context); ++ state->send_context = state->receive_context = NULL; + + sshbuf_free(state->input); + state->input = NULL; 
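Review bot: The added `state->send_context = state->receive_context = NULL;` after the two `cipher_free()` calls is the right fix — `cipher_free()` receives the context by value, so it cannot clear the caller's fields, and the `cc == NULL` early return shown in the cipher.c part of this same patch only helps once those fields are cleared — but nothing in the hunk says why the line is there, and the function it belongs to starts outside the hunk. A one-line comment would keep the next rebase from dropping it: `/* cipher_free() cannot reset our pointers; clear them so a later cipher_free() on this state is a no-op rather than a double free */`. The same clear-after-free pattern is already applied to `state->input` two lines below, so the comment also explains why the two cases now match.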
diff --git a/openssh-7.7p1-fips.patch b/openssh-7.7p1-fips.patch
index 9500cc3..bb69efe 100644
--- a/openssh-7.7p1-fips.patch
+++ b/openssh-7.7p1-fips.patch
@@ -114,50 +114,6 @@ diff -up openssh-8.0p1/kexgexc.c.fips openssh-8.0p1/kexgexc.c p = g = NULL; /* belong to kex->dh now */ /* generate and send 'e', client DH public key */ -diff -up openssh-8.0p1/Makefile.in.fips openssh-8.0p1/Makefile.in ---- openssh-8.0p1/Makefile.in.fips 2019-07-23 14:55:45.396526350 +0200 -+++ openssh-8.0p1/Makefile.in 2019-07-23 14:55:45.402526411 +0200 -@@ -180,25 +180,25 @@ libssh.a: $(LIBSSH_OBJS) - $(RANLIB) $@ - - ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS) -- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS) -+ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHLIBS) $(LIBS) $(GSSLIBS) - - sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) -- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) -+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) - - scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS) - $(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) - - ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHADD_OBJS) -- $(LD) -o $@ $(SSHADD_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -+ $(LD) -o $@ $(SSHADD_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) - - ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHAGENT_OBJS) -- $(LD) -o $@ $(SSHAGENT_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -+ $(LD) -o $@ $(SSHAGENT_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) - - ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYGEN_OBJS) -- $(LD) -o $@ $(SSHKEYGEN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -+ $(LD) -o $@ $(SSHKEYGEN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) - - ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSIGN_OBJS) -- $(LD) -o $@ $(SSHKEYSIGN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -+ $(LD) -o $@ $(SSHKEYSIGN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) - - 
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(P11HELPER_OBJS) - $(LD) -o $@ $(P11HELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) -@@ -216,7 +216,7 @@ ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a - $(LD) -o $@ ssh-cavs.o $(SKOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) - - ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS) -- $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) -+ $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS) - - sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTPSERVER_OBJS) - $(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) diff -up openssh-8.0p1/myproposal.h.fips openssh-8.0p1/myproposal.h --- openssh-8.0p1/myproposal.h.fips 2019-04-18 00:52:57.000000000 +0200 +++ openssh-8.0p1/myproposal.h 2019-07-23 14:55:45.402526411 +0200 @@ -276,43 +232,25 @@ diff -up openssh-8.0p1/servconf.c.fips openssh-8.0p1/servconf.c diff -up openssh-8.0p1/ssh.c.fips openssh-8.0p1/ssh.c --- openssh-8.0p1/ssh.c.fips 2019-07-23 14:55:45.378526168 +0200 +++ openssh-8.0p1/ssh.c 2019-07-23 14:55:45.403526421 +0200 -@@ -76,6 +76,8 @@ +@@ -76,6 +76,7 @@ #include #include #endif +#include -+#include #include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/sys-queue.h" -@@ -600,6 +602,16 @@ main(int ac, char **av) - sanitise_stdfd(); - - __progname = ssh_get_progname(av[0]); -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ SSLeay_add_all_algorithms(); -+#endif -+ if (access("/etc/system-fips", F_OK) == 0) -+ if (! FIPSCHECK_verify(NULL, NULL)){ -+ if (FIPS_mode()) -+ fatal("FIPS integrity verification test failed."); -+ else -+ logit("FIPS integrity verification test failed."); -+ } - - #ifndef HAVE_SETPROCTITLE - /* Prepare for later setproctitle emulation */ 
@@ -614,6 +626,10 @@ main(int ac, char **av) - - seed_rng(); - + dump_client_config(&options, host); + exit(0); + } ++ + if (FIPS_mode()) { + debug("FIPS mode initialized"); + } -+ - /* - * Discard other fds that are hanging around. These can cause problem - * with backgrounded ssh processes started by ControlPersist. + + /* Expand SecurityKeyProvider if it refers to an environment variable */ + if (options.sk_provider != NULL && *options.sk_provider == '$' && diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c --- openssh-8.0p1/sshconnect2.c.fips 2019-07-23 14:55:45.336525743 +0200 +++ openssh-8.0p1/sshconnect2.c 2019-07-23 14:55:45.403526421 +0200 @@ -325,7 +263,7 @@ diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c #include "openbsd-compat/sys-queue.h" #include "xmalloc.h" -@@ -198,29 +203,34 @@ ssh_kex2(struct ssh *ssh, char *host, st +@@ -198,36 +203,41 @@ ssh_kex2(struct ssh *ssh, char *host, st #if defined(GSSAPI) && defined(WITH_OPENSSL) if (options.gss_keyex) { @@ -333,12 +271,19 @@ diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c - * client to the key exchange algorithm proposal */ - orig = myproposal[PROPOSAL_KEX_ALGS]; - -- if (options.gss_server_identity) +- if (options.gss_server_identity) { - gss_host = xstrdup(options.gss_server_identity); -- else if (options.gss_trust_dns) +- } else if (options.gss_trust_dns) { - gss_host = remote_hostname(ssh); -- else +- /* Fall back to specified host if we are using proxy command +- * and can not use DNS on that socket */ +- if (strcmp(gss_host, "UNKNOWN") == 0) { +- free(gss_host); +- gss_host = xstrdup(host); +- } +- } else { - gss_host = xstrdup(host); +- } - - gss = ssh_gssapi_client_mechanisms(gss_host, - options.gss_client_identity, options.gss_kex_algorithms); 
@@ -360,12 +305,19 @@ diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c + * client to the key exchange algorithm proposal */ + orig = myproposal[PROPOSAL_KEX_ALGS]; + -+ if (options.gss_server_identity) ++ if (options.gss_server_identity) { + gss_host = xstrdup(options.gss_server_identity); -+ else if (options.gss_trust_dns) ++ } else if (options.gss_trust_dns) { + gss_host = remote_hostname(ssh); -+ else ++ /* Fall back to specified host if we are using proxy command ++ * and can not use DNS on that socket */ ++ if (strcmp(gss_host, "UNKNOWN") == 0) { ++ free(gss_host); ++ gss_host = xstrdup(host); ++ } ++ } else { + gss_host = xstrdup(host); ++ } + + gss = ssh_gssapi_client_mechanisms(gss_host, + options.gss_client_identity, options.gss_kex_algorithms); @@ -394,31 +346,19 @@ diff -up openssh-8.0p1/sshd.c.fips openssh-8.0p1/sshd.c #include #include #include -@@ -77,6 +78,8 @@ +@@ -77,6 +78,7 @@ #include #include #include +#include -+#include #include "openbsd-compat/openssl-compat.h" #endif -@@ -1529,6 +1532,18 @@ main(int ac, char **av) +@@ -1529,6 +1532,7 @@ main(int ac, char **av) #endif __progname = ssh_get_progname(av[0]); + OpenSSL_add_all_algorithms(); -+ if (access("/etc/system-fips", F_OK) == 0) -+ if (! FIPSCHECK_verify(NULL, NULL)) { -+ openlog(__progname, LOG_PID, LOG_AUTHPRIV); -+ if (FIPS_mode()) { -+ syslog(LOG_CRIT, "FIPS integrity verification test failed."); -+ cleanup_exit(255); -+ } -+ else -+ syslog(LOG_INFO, "FIPS integrity verification test failed."); -+ closelog(); -+ } /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */ saved_argc = ac; rexec_argc = ac; 
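Review bot: Removing the `FIPSCHECK_verify()` block after `__progname = ssh_get_progname(av[0]);` deletes sshd's only fail-closed startup path (the old `cleanup_exit(255)` taken when `FIPS_mode()` was set and the check failed), and the new side gives no indication of what now provides the integrity check. If the intent is that the crypto library's own FIPS self-test covers it, record that in the patch so a future rebase does not re-add the libfipscheck dependency out of habit; a comment next to the surviving `OpenSSL_add_all_algorithms();` line such as `/* No application-level FIPS integrity check here: relying on the crypto library's own self-test when FIPS mode is enabled */` would do. The patched main() continues outside the hunk, and the `#include` names are stripped in this rendering, so I can only see that one header line goes away together with the fipscheck code.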
@@ -513,5 +453,5 @@ diff -up openssh-8.0p1/ssh-keygen.c.fips openssh-8.0p1/ssh-keygen.c fflush(stdout); - type = sshkey_type_from_name(key_types[i].key_type); if ((fd = mkstemp(prv_tmp)) == -1) { - error("Could not save your public key in %s: %s", - prv_tmp, strerror(errno)); + error("Could not save your private key in %s: %s", + prv_tmp, strerror(errno)); diff --git a/openssh-7.7p1-gssapi-new-unique.patch b/openssh-7.7p1-gssapi-new-unique.patch index 9386249..506c79a 100644 --- a/openssh-7.7p1-gssapi-new-unique.patch +++ b/openssh-7.7p1-gssapi-new-unique.patch @@ -480,7 +480,7 @@ index 6cae720e..16e55cbc 100644 + return 0; } - /* This allows GSSAPI methods to do things to the childs environment based + /* This allows GSSAPI methods to do things to the child's environment based @@ -498,9 +500,7 @@ ssh_gssapi_rekey_creds() { char *envstr; #endif @@ -574,7 +574,7 @@ index 85df6a27..480a5ead 100644 +++ b/session.c @@ -1033,7 +1033,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell) /* Allow any GSSAPI methods that we've used to alter - * the childs environment as they see fit + * the child's environment as they see fit */ - ssh_gssapi_do_child(&env, &envsize); + if (s->authctxt->krb5_set_env) diff --git a/openssh-7.7p1-redhat.patch b/openssh-7.7p1-redhat.patch index 0bf26bd..fe4200d 100644 --- a/openssh-7.7p1-redhat.patch +++ b/openssh-7.7p1-redhat.patch 
@@ -1,13 +1,16 @@ diff -up openssh/ssh_config.redhat openssh/ssh_config --- openssh/ssh_config.redhat 2020-02-11 23:28:35.000000000 +0100 +++ openssh/ssh_config 2020-02-13 18:13:39.180641839 +0100 -@@ -43,3 +43,7 @@ +@@ -43,3 +43,10 @@ # VisualHostKey no # ProxyCommand ssh -q -W %h:%p gateway.example.com # RekeyLimit 1G 1h +# -+# To modify the system-wide ssh configuration, create a *.conf file under -+# /etc/ssh/ssh_config.d/ which will be automatically included below ++# This system is following system-wide crypto policy. ++# To modify the crypto properties (Ciphers, MACs, ...), create a *.conf ++# file under /etc/ssh/ssh_config.d/ which will be automatically ++# included below. For more information, see manual page for ++# update-crypto-policies(8) and ssh_config(5). +Include /etc/ssh/ssh_config.d/*.conf diff -up openssh/ssh_config_redhat.redhat openssh/ssh_config_redhat --- openssh/ssh_config_redhat.redhat 2020-02-13 18:13:39.180641839 +0100 @@ -65,10 +68,14 @@ diff -up openssh/sshd_config.5.redhat openssh/sshd_config.5 diff -up openssh/sshd_config.redhat openssh/sshd_config --- openssh/sshd_config.redhat 2020-02-11 23:28:35.000000000 +0100 +++ openssh/sshd_config 2020-02-13 18:20:16.349913681 +0100 -@@ -10,6 +10,10 @@ +@@ -10,6 +10,14 @@ # possible, but leave them commented. Uncommented options override the # default value. - + ++# To modify the system-wide sshd configuration, create a *.conf file under ++# /etc/ssh/sshd_config.d/ which will be automatically included below ++Include /etc/ssh/sshd_config.d/*.conf ++ +# If you want to change the port on a SELinux system, you have to tell +# SELinux about this change. +# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER 
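Review bot: Moving `Include /etc/ssh/sshd_config.d/*.conf` from the end of sshd_config to the top, ahead of `#Port 22` and the rest of the built-in settings, reverses which side wins: sshd keeps the first value it reads for each keyword (the new sshd_config_redhat text in this same patch relies on exactly that), so a drop-in now silently overrides anything an administrator uncomments further down, Port included. That is presumably the intent, but the two-line comment only says the files are "automatically included"; I would spell out the consequence: `# Settings in these files take precedence over the ones below, because sshd uses the first value it reads for each keyword.`. The Include also now sits above the SELinux remark, so a drop-in that changes Port needs the same `semanage port` step — worth one more line there.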
@@ -76,26 +83,16 @@ diff -up openssh/sshd_config.redhat openssh/sshd_config #Port 22 #AddressFamily any #ListenAddress 0.0.0.0 -@@ -114,3 +118,7 @@ Subsystem sftp /usr/libexec/sftp-server - # AllowTcpForwarding no - # PermitTTY no - # ForceCommand cvs server -+ -+# To modify the system-wide ssh configuration, create a *.conf file under -+# /etc/ssh/sshd_config.d/ which will be automatically included below -+Include /etc/ssh/sshd_config.d/*.conf diff -up openssh/sshd_config_redhat.redhat openssh/sshd_config_redhat --- openssh/sshd_config_redhat.redhat 2020-02-13 18:14:02.268006439 +0100 +++ openssh/sshd_config_redhat 2020-02-13 18:19:20.765035947 +0100 -@@ -0,0 +1,31 @@ -+# System-wide Crypto policy: +@@ -0,0 +1,29 @@ +# This system is following system-wide crypto policy. The changes to -+# Ciphers, MACs, KexAlgoritms and GSSAPIKexAlgorithsm will not have any -+# effect here. They will be overridden by command-line options passed on -+# the server start up. -+# To opt out, uncomment a line with redefinition of CRYPTO_POLICY= -+# variable in /etc/sysconfig/sshd to overwrite the policy. -+# For more information, see manual page for update-crypto-policies(8). ++# crypto properties (Ciphers, MACs, ...) will not have any effect in ++# this or following included files. To override some configuration option, ++# write it before this block or include it before this file. ++# Please, see manual pages for update-crypto-policies(8) and sshd_config(5). ++Include /etc/crypto-policies/back-ends/opensshserver.config + +SyslogFacility AUTHPRIV + diff --git a/openssh-8.0p1-crypto-policies.patch b/openssh-8.0p1-crypto-policies.patch index 89bd369..b23599d 100644 --- a/openssh-8.0p1-crypto-policies.patch +++ b/openssh-8.0p1-crypto-policies.patch 
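Review bot: The new `Include /etc/crypto-policies/back-ends/opensshserver.config` line replaces the command-line CRYPTO_POLICY mechanism described in the comment this hunk deletes, yet the replacement comment says only that overrides go "before this block or include it before this file" — it does not say whether the CRYPTO_POLICY= opt-out in /etc/sysconfig/sshd still exists or is now ignored, and this diff does not show that file. If the sysconfig handling is gone, say so here so nobody keeps editing a dead knob; if it remains, one sentence on which of the two mechanisms wins is needed. Since the same patch puts `Include /etc/ssh/sshd_config.d/*.conf` at the top of sshd_config, the practical override path is a file in that directory that is read before this one (the install location of sshd_config_redhat is not in this diff), and I would name it: `# To override a crypto setting, put it in a /etc/ssh/sshd_config.d/*.conf file that is read before this one; sshd keeps the first value it reads.`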
@@ -1,8 +1,15 @@ -diff -up openssh/ssh_config.5.crypto-policies openssh/ssh_config.5 ---- openssh/ssh_config.5.crypto-policies 2020-02-07 15:05:55.665451715 +0100 -+++ openssh/ssh_config.5 2020-02-07 15:07:11.632641922 +0100 -@@ -361,15 +361,15 @@ domains. +diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5 +--- openssh-8.2p1/ssh_config.5.crypto-policies 2020-03-26 14:40:44.546775605 +0100 ++++ openssh-8.2p1/ssh_config.5 2020-03-26 14:52:20.700649727 +0100 +@@ -359,17 +359,17 @@ or + .Qq *.c.example.com + domains. .It Cm CASignatureAlgorithms ++The default is handled system-wide by ++.Xr crypto-policies 7 . ++To see the defaults and how to modify this default, see manual page ++.Xr update-crypto-policies 8 . ++.Pp Specifies which algorithms are allowed for signing of certificates by certificate authorities (CAs). -The default is: 
@@ -15,15 +22,39 @@ diff -up openssh/ssh_config.5.crypto-policies openssh/ssh_config.5 will not accept host certificates signed using algorithms other than those specified. +.Pp + .It Cm CertificateFile + Specifies a file from which the user's certificate is read. + A corresponding private key must be provided separately in order +@@ -424,20 +424,25 @@ If the option is set to + .Cm no , + the check will not be executed. + .It Cm Ciphers +The default is handled system-wide by +.Xr crypto-policies 7 . +To see the defaults and how to modify this default, see manual page +.Xr update-crypto-policies 8 . +.Pp - .It Cm CertificateFile - Specifies a file from which the user's certificate is read. - A corresponding private key must be provided separately in order -@@ -453,12 +453,10 @@ aes256-gcm@openssh.com + Specifies the ciphers allowed and their order of preference. + Multiple ciphers must be comma-separated. + If the specified list begins with a + .Sq + +-character, then the specified ciphers will be appended to the default set ++character, then the specified ciphers will be appended to the built-in default set + instead of replacing them. + If the specified list begins with a + .Sq - + character, then the specified ciphers (including wildcards) will be removed +-from the default set instead of replacing them. ++from the built-in default set instead of replacing them. + If the specified list begins with a + .Sq ^ + character, then the specified ciphers will be placed at the head of the +-default set. ++built-in default set. + .Pp + The supported ciphers are: + .Bd -literal -offset indent +@@ -453,13 +458,6 @@ aes256-gcm@openssh.com chacha20-poly1305@openssh.com .Ed .Pp 
@@ -33,30 +64,59 @@ diff -up openssh/ssh_config.5.crypto-policies openssh/ssh_config.5 -aes128-ctr,aes192-ctr,aes256-ctr, -aes128-gcm@openssh.com,aes256-gcm@openssh.com -.Ed +-.Pp + The list of available ciphers may also be obtained using + .Qq ssh -Q cipher . + .It Cm ClearAllForwardings +@@ -812,6 +810,11 @@ command line will be passed untouched to + The default is + .Dq no . + .It Cm GSSAPIKexAlgorithms +The default is handled system-wide by +.Xr crypto-policies 7 . +To see the defaults and how to modify this default, see manual page +.Xr update-crypto-policies 8 . - .Pp - The list of available ciphers may also be obtained using - .Qq ssh -Q cipher . -@@ -824,8 +822,10 @@ gss-nistp256-sha256-, ++.Pp + The list of key exchange algorithms that are offered for GSSAPI + key exchange. Possible values are + .Bd -literal -offset 3n +@@ -824,10 +827,8 @@ gss-nistp256-sha256-, gss-curve25519-sha256- .Ed .Pp -The default is --.Dq gss-gex-sha1-,gss-group14-sha1- . +-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-, +-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- . + This option only applies to connections using GSSAPI. ++.Pp + .It Cm HashKnownHosts + Indicates that + .Xr ssh 1 +@@ -1149,29 +1150,25 @@ it may be zero or more of: + and + .Cm pam . + .It Cm KexAlgorithms +The default is handled system-wide by +.Xr crypto-policies 7 . +To see the defaults and how to modify this default, see manual page +.Xr update-crypto-policies 8 . - This option only applies to protocol version 2 connections using GSSAPI. - .It Cm HashKnownHosts - Indicates that -@@ -1162,15 +1162,10 @@ If the specified list begins with a ++.Pp + Specifies the available KEX (Key Exchange) algorithms. + Multiple algorithms must be comma-separated. + If the specified list begins with a + .Sq + +-character, then the specified methods will be appended to the default set ++character, then the specified methods will be appended to the built-in default set + instead of replacing them. 
+ If the specified list begins with a + .Sq - + character, then the specified methods (including wildcards) will be removed +-from the default set instead of replacing them. ++from the built-in default set instead of replacing them. + If the specified list begins with a .Sq ^ character, then the specified methods will be placed at the head of the - default set. +-default set. -The default is: -.Bd -literal -offset indent -curve25519-sha256,curve25519-sha256@libssh.org, 
@@ -66,14 +126,41 @@ diff -up openssh/ssh_config.5.crypto-policies openssh/ssh_config.5 -diffie-hellman-group18-sha512, -diffie-hellman-group14-sha256 -.Ed ++built-in default set. + .Pp + The list of available key exchange algorithms may also be obtained using + .Qq ssh -Q kex . +@@ -1231,37 +1228,33 @@ The default is INFO. + DEBUG and DEBUG1 are equivalent. + DEBUG2 and DEBUG3 each specify higher levels of verbose output. + .It Cm MACs +The default is handled system-wide by +.Xr crypto-policies 7 . +To see the defaults and how to modify this default, see manual page +.Xr update-crypto-policies 8 . ++.Pp + Specifies the MAC (message authentication code) algorithms + in order of preference. + The MAC algorithm is used for data integrity protection. + Multiple algorithms must be comma-separated. + If the specified list begins with a + .Sq + +-character, then the specified algorithms will be appended to the default set ++character, then the specified algorithms will be appended to the built-in default set + instead of replacing them. + If the specified list begins with a + .Sq - + character, then the specified algorithms (including wildcards) will be removed +-from the default set instead of replacing them. ++from the built-in default set instead of replacing them. + If the specified list begins with a + .Sq ^ + character, then the specified algorithms will be placed at the head of the +-default set. ++built-in default set. .Pp - The list of available key exchange algorithms may also be obtained using - .Qq ssh -Q kex . -@@ -1252,14 +1247,10 @@ The algorithms that contain + The algorithms that contain + .Qq -etm calculate the MAC after encryption (encrypt-then-mac). These are considered safer and their use recommended. .Pp 
@@ -85,17 +172,35 @@ diff -up openssh/ssh_config.5.crypto-policies openssh/ssh_config.5 -umac-64@openssh.com,umac-128@openssh.com, -hmac-sha2-256,hmac-sha2-512,hmac-sha1 -.Ed +-.Pp + The list of available MAC algorithms may also be obtained using + .Qq ssh -Q mac . + .It Cm NoHostAuthenticationForLocalhost +@@ -1394,36 +1387,25 @@ instead of continuing to execute and pas + The default is + .Cm no . + .It Cm PubkeyAcceptedKeyTypes +The default is handled system-wide by +.Xr crypto-policies 7 . +To see the defaults and how to modify this default, see manual page +.Xr update-crypto-policies 8 . - .Pp - The list of available MAC algorithms may also be obtained using - .Qq ssh -Q mac . -@@ -1407,22 +1398,10 @@ If the specified list begins with a ++.Pp + Specifies the key types that will be used for public key authentication + as a comma-separated list of patterns. + If the specified list begins with a + .Sq + +-character, then the key types after it will be appended to the default ++character, then the key types after it will be appended to the built-in default + instead of replacing it. + If the specified list begins with a + .Sq - + character, then the specified key types (including wildcards) will be removed +-from the default set instead of replacing them. ++from the built-in default set instead of replacing them. + If the specified list begins with a .Sq ^ character, then the specified key types will be placed at the head of the - default set. +-default set. -The default for this option is: -.Bd -literal -offset 3n -ecdsa-sha2-nistp256-cert-v01@openssh.com, 
@@ -112,18 +217,22 @@ diff -up openssh/ssh_config.5.crypto-policies openssh/ssh_config.5 -ssh-ed25519,sk-ssh-ed25519@openssh.com, -rsa-sha2-512,rsa-sha2-256,ssh-rsa -.Ed ++built-in default set. + .Pp + The list of available key types may also be obtained using + .Qq ssh -Q PubkeyAcceptedKeyTypes . +diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5 +--- openssh-8.2p1/sshd_config.5.crypto-policies 2020-03-26 14:40:44.530775355 +0100 ++++ openssh-8.2p1/sshd_config.5 2020-03-26 14:48:56.732468099 +0100 +@@ -375,16 +375,16 @@ If the argument is + then no banner is displayed. + By default, no banner is displayed. + .It Cm CASignatureAlgorithms +The default is handled system-wide by +.Xr crypto-policies 7 . +To see the defaults and how to modify this default, see manual page +.Xr update-crypto-policies 8 . - .Pp - The list of available key types may also be obtained using - .Qq ssh -Q PubkeyAcceptedKeyTypes . -diff -up openssh/sshd_config.5.crypto-policies openssh/sshd_config.5 ---- openssh/sshd_config.5.crypto-policies 2020-02-07 15:05:55.639451308 +0100 -+++ openssh/sshd_config.5 2020-02-07 15:05:55.672451825 +0100 -@@ -377,14 +377,14 @@ By default, no banner is displayed. - .It Cm CASignatureAlgorithms ++.Pp Specifies which algorithms are allowed for signing of certificates by certificate authorities (CAs). -The default is: 
@@ -135,15 +244,39 @@ diff -up openssh/sshd_config.5.crypto-policies openssh/sshd_config.5 Certificates signed using other algorithms will not be accepted for public key or host-based authentication. +.Pp + .It Cm ChallengeResponseAuthentication + Specifies whether challenge-response authentication is allowed (e.g. via + PAM or through authentication styles supported in +@@ -446,20 +446,25 @@ The default is + indicating not to + .Xr chroot 2 . + .It Cm Ciphers +The default is handled system-wide by +.Xr crypto-policies 7 . +To see the defaults and how to modify this default, see manual page +.Xr update-crypto-policies 8 . +.Pp - .It Cm ChallengeResponseAuthentication - Specifies whether challenge-response authentication is allowed (e.g. via - PAM or through authentication styles supported in -@@ -486,12 +486,10 @@ aes256-gcm@openssh.com + Specifies the ciphers allowed. + Multiple ciphers must be comma-separated. + If the specified list begins with a + .Sq + +-character, then the specified ciphers will be appended to the default set ++character, then the specified ciphers will be appended to the built-in default set + instead of replacing them. + If the specified list begins with a + .Sq - + character, then the specified ciphers (including wildcards) will be removed +-from the default set instead of replacing them. ++from the built-in default set instead of replacing them. + If the specified list begins with a + .Sq ^ + character, then the specified ciphers will be placed at the head of the +-default set. ++built-in default set. + .Pp + The supported ciphers are: + .Pp +@@ -486,13 +491,6 @@ aes256-gcm@openssh.com chacha20-poly1305@openssh.com .El .Pp 
@@ -153,28 +286,54 @@ diff -up openssh/sshd_config.5.crypto-policies openssh/sshd_config.5 -aes128-ctr,aes192-ctr,aes256-ctr, -aes128-gcm@openssh.com,aes256-gcm@openssh.com -.Ed -+The default is handled system-wide by -+.Xr crypto-policies 7 . -+To see the defaults and how to modify this default, see manual page -+.Xr update-crypto-policies 8 . - .Pp +-.Pp The list of available ciphers may also be obtained using .Qq ssh -Q cipher . -@@ -693,8 +691,10 @@ gss-nistp256-sha256-, - gss-curve25519-sha256- - .Ed - .Pp --The default is --.Dq gss-gex-sha1-,gss-group14-sha1- . + .It Cm ClientAliveCountMax +@@ -681,22 +679,24 @@ For this to work + .Cm GSSAPIKeyExchange + needs to be enabled in the server and also used by the client. + .It Cm GSSAPIKexAlgorithms +The default is handled system-wide by +.Xr crypto-policies 7 . +To see the defaults and how to modify this default, see manual page +.Xr update-crypto-policies 8 . - This option only applies to protocol version 2 connections using GSSAPI. ++.Pp + The list of key exchange algorithms that are accepted by GSSAPI + key exchange. Possible values are + .Bd -literal -offset 3n +-gss-gex-sha1-, +-gss-group1-sha1-, +-gss-group14-sha1-, +-gss-group14-sha256-, +-gss-group16-sha512-, +-gss-nistp256-sha256-, ++gss-gex-sha1- ++gss-group1-sha1- ++gss-group14-sha1- ++gss-group14-sha256- ++gss-group16-sha512- ++gss-nistp256-sha256- + gss-curve25519-sha256- + .Ed +-.Pp +-The default is +-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-, +-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- . + This option only applies to connections using GSSAPI. ++.Pp .It Cm HostbasedAcceptedKeyTypes Specifies the key types that will be accepted for hostbased authentication -@@ -794,22 +794,10 @@ environment variable. + as a list of comma-separated patterns. +@@ -793,25 +793,13 @@ is specified, the location of the socket + .Ev SSH_AUTH_SOCK + environment variable. 
.It Cm HostKeyAlgorithms ++The default is handled system-wide by ++.Xr crypto-policies 7 . ++To see the defaults and how to modify this default, see manual page ++.Xr update-crypto-policies 8 . ++.Pp Specifies the host key algorithms that the server offers. -The default for this option is: @@ -193,14 +352,40 @@ diff -up openssh/sshd_config.5.crypto-policies openssh/sshd_config.5 -ssh-ed25519,sk-ssh-ed25519@openssh.com, -rsa-sha2-512,rsa-sha2-256,ssh-rsa -.Ed +-.Pp + The list of available key types may also be obtained using + .Qq ssh -Q HostKeyAlgorithms . + .It Cm IgnoreRhosts +@@ -943,20 +931,25 @@ Specifies whether to look at .k5login fi + The default is + .Cm yes . + .It Cm KexAlgorithms +The default is handled system-wide by +.Xr crypto-policies 7 . +To see the defaults and how to modify this default, see manual page +.Xr update-crypto-policies 8 . ++.Pp + Specifies the available KEX (Key Exchange) algorithms. + Multiple algorithms must be comma-separated. + Alternately if the specified list begins with a + .Sq + +-character, then the specified methods will be appended to the default set ++character, then the specified methods will be appended to the built-in default set + instead of replacing them. + If the specified list begins with a + .Sq - + character, then the specified methods (including wildcards) will be removed +-from the default set instead of replacing them. ++from the built-in default set instead of replacing them. + If the specified list begins with a + .Sq ^ + character, then the specified methods will be placed at the head of the +-default set. ++built-in default set. + The supported algorithms are: .Pp - The list of available key types may also be obtained using - .Qq ssh -Q HostKeyAlgorithms . -@@ -987,14 +975,10 @@ ecdh-sha2-nistp521 + .Bl -item -compact -offset indent +@@ -988,15 +981,6 @@ ecdh-sha2-nistp521 sntrup4591761x25519-sha512@tinyssh.org .El .Pp 
@@ -212,14 +397,41 @@ diff -up openssh/sshd_config.5.crypto-policies openssh/sshd_config.5 -diffie-hellman-group16-sha512,diffie-hellman-group18-sha512, -diffie-hellman-group14-sha256 -.Ed +-.Pp + The list of available key exchange algorithms may also be obtained using + .Qq ssh -Q KexAlgorithms . + .It Cm ListenAddress +@@ -1065,21 +1049,26 @@ DEBUG and DEBUG1 are equivalent. + DEBUG2 and DEBUG3 each specify higher levels of debugging output. + Logging with a DEBUG level violates the privacy of users and is not recommended. + .It Cm MACs +The default is handled system-wide by +.Xr crypto-policies 7 . +To see the defaults and how to modify this default, see manual page +.Xr update-crypto-policies 8 . ++.Pp + Specifies the available MAC (message authentication code) algorithms. + The MAC algorithm is used for data integrity protection. + Multiple algorithms must be comma-separated. + If the specified list begins with a + .Sq + +-character, then the specified algorithms will be appended to the default set ++character, then the specified algorithms will be appended to the built-in default set + instead of replacing them. + If the specified list begins with a + .Sq - + character, then the specified algorithms (including wildcards) will be removed +-from the default set instead of replacing them. ++from the built-in default set instead of replacing them. + If the specified list begins with a + .Sq ^ + character, then the specified algorithms will be placed at the head of the +-default set. ++built-in default set. .Pp - The list of available key exchange algorithms may also be obtained using - .Qq ssh -Q KexAlgorithms . -@@ -1121,14 +1105,10 @@ umac-64-etm@openssh.com + The algorithms that contain + .Qq -etm +@@ -1122,15 +1111,6 @@ umac-64-etm@openssh.com umac-128-etm@openssh.com .El .Pp 
@@ -231,17 +443,35 @@ diff -up openssh/sshd_config.5.crypto-policies openssh/sshd_config.5 -umac-64@openssh.com,umac-128@openssh.com, -hmac-sha2-256,hmac-sha2-512,hmac-sha1 -.Ed +-.Pp + The list of available MAC algorithms may also be obtained using + .Qq ssh -Q mac . + .It Cm Match +@@ -1480,36 +1460,25 @@ or equivalent.) + The default is + .Cm yes . + .It Cm PubkeyAcceptedKeyTypes +The default is handled system-wide by +.Xr crypto-policies 7 . +To see the defaults and how to modify this default, see manual page +.Xr update-crypto-policies 8 . - .Pp - The list of available MAC algorithms may also be obtained using - .Qq ssh -Q mac . -@@ -1492,22 +1472,10 @@ If the specified list begins with a ++.Pp + Specifies the key types that will be accepted for public key authentication + as a list of comma-separated patterns. + Alternately if the specified list begins with a + .Sq + +-character, then the specified key types will be appended to the default set ++character, then the specified key types will be appended to the built-in default set + instead of replacing them. + If the specified list begins with a + .Sq - + character, then the specified key types (including wildcards) will be removed +-from the default set instead of replacing them. ++from the built-in default set instead of replacing them. + If the specified list begins with a .Sq ^ character, then the specified key types will be placed at the head of the - default set. +-default set. -The default for this option is: -.Bd -literal -offset 3n -ecdsa-sha2-nistp256-cert-v01@openssh.com, 
@@ -258,10 +488,7 @@ diff -up openssh/sshd_config.5.crypto-policies openssh/sshd_config.5 -ssh-ed25519,sk-ssh-ed25519@openssh.com, -rsa-sha2-512,rsa-sha2-256,ssh-rsa -.Ed -+The default is handled system-wide by -+.Xr crypto-policies 7 . -+To see the defaults and how to modify this default, see manual page -+.Xr update-crypto-policies 8 . ++built-in default set. .Pp The list of available key types may also be obtained using .Qq ssh -Q PubkeyAcceptedKeyTypes . diff --git a/openssh-8.0p1-gssapi-keyex.patch b/openssh-8.0p1-gssapi-keyex.patch index 9e7ea72..770e99e 100644 --- a/openssh-8.0p1-gssapi-keyex.patch +++ b/openssh-8.0p1-gssapi-keyex.patch @@ -964,7 +964,7 @@ index ab3a15f0..6ce56e92 100644 --- a/gss-serv.c +++ b/gss-serv.c @@ -1,7 +1,7 @@ - /* $OpenBSD: gss-serv.c,v 1.31 2018/07/09 21:37:55 markus Exp $ */ + /* $OpenBSD: gss-serv.c,v 1.32 2020/03/13 03:17:07 djm Exp $ */ /* - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. @@ -3253,7 +3253,7 @@ index 36180d07..70dd3665 100644 * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions -@@ -61,10 +61,30 @@ +@@ -61,10 +61,34 @@ #define SSH_GSS_OIDTYPE 0x06 @@ -3273,8 +3273,12 @@ index 36180d07..70dd3665 100644 +#define KEX_GSS_C25519_SHA256_ID "gss-curve25519-sha256-" + +#define GSS_KEX_DEFAULT_KEX \ -+ KEX_GSS_GEX_SHA1_ID "," \ -+ KEX_GSS_GRP14_SHA1_ID ++ KEX_GSS_GRP14_SHA256_ID "," \ ++ KEX_GSS_GRP16_SHA512_ID "," \ ++ KEX_GSS_NISTP256_SHA256_ID "," \ ++ KEX_GSS_C25519_SHA256_ID "," \ ++ KEX_GSS_GRP14_SHA1_ID "," \ ++ KEX_GSS_GEX_SHA1_ID + typedef struct { char *filename; @@ -3429,7 +3433,7 @@ diff --git a/ssh_config.5 b/ssh_config.5 index 06a32d31..3f490697 100644 --- a/ssh_config.5 +++ b/ssh_config.5 -@@ -766,10 +766,67 @@ The default is +@@ -766,10 +766,68 @@ The default is Specifies whether user authentication based on GSSAPI is allowed. The default is .Cm no . 
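Review bot: The reordered GSS_KEX_DEFAULT_KEX in the `@@ -3273,8 +3273,12 @@` hunk still ends with `KEX_GSS_GRP14_SHA1_ID` and `KEX_GSS_GEX_SHA1_ID`, so the SHA-1 based methods stay negotiable in the default set rather than only when an administrator lists them in GSSAPIKexAlgorithms. If keeping them is a deliberate interoperability choice it should be recorded at the macro, e.g. `/* SHA-2 methods first; the SHA-1 variants are kept last only for interoperability with older peers */`, so a later cleanup does not have to guess. The ssh_config.5 and sshd_config.5 hunks further down in this patch list the same order, so all three should be changed together if the SHA-1 entries are ever dropped.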
@@ -3492,8 +3496,9 @@ index 06a32d31..3f490697 100644 +.Ed +.Pp +The default is -+.Dq gss-gex-sha1-,gss-group14-sha1- . -+This option only applies to protocol version 2 connections using GSSAPI. ++.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-, ++gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- . ++This option only applies to connections using GSSAPI. .It Cm HashKnownHosts Indicates that .Xr ssh 1 @@ -3522,7 +3527,7 @@ index af00fb30..03bc87eb 100644 xxx_host = host; xxx_hostaddr = hostaddr; -@@ -206,6 +209,35 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) +@@ -206,6 +209,42 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) compat_pkalg_proposal(options.hostkeyalgorithms); } @@ -3532,12 +3537,19 @@ index af00fb30..03bc87eb 100644 + * client to the key exchange algorithm proposal */ + orig = myproposal[PROPOSAL_KEX_ALGS]; + -+ if (options.gss_server_identity) ++ if (options.gss_server_identity) { + gss_host = xstrdup(options.gss_server_identity); -+ else if (options.gss_trust_dns) ++ } else if (options.gss_trust_dns) { + gss_host = remote_hostname(ssh); -+ else ++ /* Fall back to specified host if we are using proxy command ++ * and can not use DNS on that socket */ ++ if (strcmp(gss_host, "UNKNOWN") == 0) { ++ free(gss_host); ++ gss_host = xstrdup(host); ++ } ++ } else { + gss_host = xstrdup(host); ++ } + + gss = ssh_gssapi_client_mechanisms(gss_host, + options.gss_client_identity, options.gss_kex_algorithms); 
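Review bot: The gss_host selection added to ssh_kex2 in this hunk is repeated verbatim in userauth_gssapi in the next hunk of this patch, including the new `strcmp(gss_host, "UNKNOWN")` fallback; two copies of the decision that picks the GSSAPI target name are easy to let drift. Factoring it into one static helper that takes the host string keeps the server-identity, DNS and fallback branches in a single place, as sketched below. The `"UNKNOWN"` literal also couples this code to whatever remote_hostname() returns for an unresolvable peer, so a shared constant defined next to that function would be safer than repeating the string twice. ssh_kex2 begins and ends outside the hunk.
```c
/* … unchanged: existing includes and static declarations … */

/*
 * Pick the GSSAPI target host: an explicit gss_server_identity wins, then
 * the reverse-DNS name when gss_trust_dns is set, falling back to the
 * configured host when no name is available (e.g. over a proxy command).
 */
static char *
gss_target_host(struct ssh *ssh, const char *host)
{
	char *gss_host;

	if (options.gss_server_identity) {
		gss_host = xstrdup(options.gss_server_identity);
	} else if (options.gss_trust_dns) {
		gss_host = remote_hostname(ssh);
		if (strcmp(gss_host, "UNKNOWN") == 0) {
			free(gss_host);
			gss_host = xstrdup(host);
		}
	} else {
		gss_host = xstrdup(host);
	}
	return gss_host;
}

/* … unchanged: ssh_kex2 up to the proposal handling … */
	orig = myproposal[PROPOSAL_KEX_ALGS];
	gss_host = gss_target_host(ssh, host);
/* … unchanged: ssh_gssapi_client_mechanisms() call … */
```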
@@ -3626,18 +3638,25 @@ index af00fb30..03bc87eb 100644 {"gssapi-with-mic", userauth_gssapi, userauth_gssapi_cleanup, -@@ -716,12 +784,25 @@ userauth_gssapi(struct ssh *ssh) +@@ -716,12 +784,32 @@ userauth_gssapi(struct ssh *ssh) OM_uint32 min; int r, ok = 0; gss_OID mech = NULL; -+ char *gss_host; ++ char *gss_host = NULL; + -+ if (options.gss_server_identity) ++ if (options.gss_server_identity) { + gss_host = xstrdup(options.gss_server_identity); -+ else if (options.gss_trust_dns) ++ } else if (options.gss_trust_dns) { + gss_host = remote_hostname(ssh); -+ else ++ /* Fall back to specified host if we are using proxy command ++ * and can not use DNS on that socket */ ++ if (strcmp(gss_host, "UNKNOWN") == 0) { ++ free(gss_host); ++ gss_host = xstrdup(authctxt->host); ++ } ++ } else { + gss_host = xstrdup(authctxt->host); ++ } /* Try one GSSAPI method at a time, rather than sending them all at * once. */ @@ -3849,7 +3868,7 @@ index 70ccea44..f6b41a2f 100644 .It Cm GSSAPIStrictAcceptorCheck Determines whether to be strict about the identity of the GSSAPI acceptor a client authenticates against. -@@ -660,6 +665,31 @@ machine's default store. +@@ -660,6 +665,32 @@ machine's default store. This facility is provided to assist with operation on multi homed machines. The default is .Cm yes . @@ -3876,8 +3895,9 @@ index 70ccea44..f6b41a2f 100644 +.Ed +.Pp +The default is -+.Dq gss-gex-sha1-,gss-group14-sha1- . -+This option only applies to protocol version 2 connections using GSSAPI. ++.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-, ++gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- . ++This option only applies to connections using GSSAPI. .It Cm HostbasedAcceptedKeyTypes Specifies the key types that will be accepted for hostbased authentication as a list of comma-separated patterns. diff --git a/openssh-8.0p1-pkcs11-uri.patch b/openssh-8.0p1-pkcs11-uri.patch index 712f703..50fd29a 100644 --- a/openssh-8.0p1-pkcs11-uri.patch 
+++ b/openssh-8.0p1-pkcs11-uri.patch @@ -48,7 +48,7 @@ index e7549470..4511f82a 100644 msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ - ssh-pkcs11.o smult_curve25519_ref.o \ + ssh-pkcs11.o ssh-pkcs11-uri.o smult_curve25519_ref.o \ - poly1305.o chacha.o cipher-chachapoly.o \ + poly1305.o chacha.o cipher-chachapoly.o cipher-chachapoly-libcrypto.o \ ssh-ed25519.o digest-openssl.o digest-libc.o \ hmac.o sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o \ @@ -289,6 +289,8 @@ clean: regressclean @@ -2502,7 +2502,7 @@ index a302c79c..879fe917 100644 int ret = -1; struct pkcs11_provider *p = NULL; void *handle = NULL; -@@ -1484,165 +1670,301 @@ pkcs11_register_provider(char *provider_id, char *pin, +@@ -1484,167 +1670,303 @@ pkcs11_register_provider(char *provider_id, char *pin, CK_FUNCTION_LIST *f = NULL; CK_TOKEN_INFO *token; CK_ULONG i; @@ -2722,6 +2722,9 @@ index a302c79c..879fe917 100644 + } + + provider_uri = pkcs11_uri_get(uri); ++ if (pin == NULL && uri->pin != NULL) { ++ pin = uri->pin; ++ } + nkeys = 0; + for (i = 0; i < p->module->nslots; i++) { + token = &p->module->slotinfo[i].token; @@ -2757,9 +2760,6 @@ index a302c79c..879fe917 100644 + provider_uri, (unsigned long)i, token->label, token->manufacturerID, token->model, token->serialNumber, token->flags); -+ if (pin == NULL && uri->pin != NULL) { -+ pin = uri->pin; -+ } /* - * open session, login with pin and retrieve public - * keys (if keyp is provided) @@ -2805,8 +2805,8 @@ index a302c79c..879fe917 100644 + pkcs11_fetch_certs(p, i, keyp, labelsp, &nkeys, uri); + uri->object = label; } -+ pin = NULL; /* Will be cleaned up with URI */ } ++ pin = NULL; /* Will be cleaned up with URI */ /* now owned by caller */ *providerp = p; @@ -2830,6 +2830,8 @@ index a302c79c..879fe917 100644 } - if (handle) - dlclose(handle); + if (ret > 0) + ret = -1; return (ret); } 
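Review bot: After the `@@ -2722,6 +2722,9 @@` hunk, `pin` aliases `uri->pin` for the whole slot loop instead of a single iteration, and the relocated `pin = NULL; /* Will be cleaned up with URI */` now only drops that local alias once every slot has been visited. That is the intended fix for losing the PIN on later matching slots, but it also means the credential is referenced across every matching token, and the cleanup path that the comment relies on is not visible here; it is worth confirming that the URI cleanup wipes the PIN (freezero()/explicit_bzero) rather than plain free(). A one-line comment at the hoisted assignment, `/* PIN from the URI is shared by all matching slots; it is freed with the URI, not here */`, would make the ownership explicit. pkcs11_register_provider starts and ends outside these hunks.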
@@ -3109,9 +3111,9 @@ index 15aee569..976844cb 100644 + } +#endif /* ENABLE_PKCS11 */ + cp = tilde_expand_filename(name, getuid()); - filename = percent_expand(cp, "d", pw->pw_dir, - "u", pw->pw_name, "l", thishost, "h", host, - "r", options.user, (char *)NULL); + filename = default_client_percent_expand(cp, + pw->pw_dir, host, options.user, pw->pw_name); + free(cp); diff --git a/ssh_config.5 b/ssh_config.5 index 06a32d31..4b2763bd 100644 --- a/ssh_config.5 diff --git a/openssh-8.2p1-visibility.patch b/openssh-8.2p1-visibility.patch index 2f0b191..89c35ef 100644 --- a/openssh-8.2p1-visibility.patch +++ b/openssh-8.2p1-visibility.patch @@ -26,7 +26,7 @@ index dca158de..afdcb1d2 100644 -int +int __attribute__((visibility("default"))) - sk_sign(uint32_t alg, const uint8_t *message, size_t message_len, + sk_sign(uint32_t alg, const uint8_t *data, size_t datalen, const char *application, const uint8_t *key_handle, size_t key_handle_len, uint8_t flags, const char *pin, struct sk_option **options, @@ -518,7 +518,7 @@ sk_sign(uint32_t alg, const uint8_t *message, size_t message_len, diff --git a/openssh-8.2p1-x11-without-ipv6.patch b/openssh-8.2p1-x11-without-ipv6.patch new file mode 100644 index 0000000..18b0376 --- /dev/null +++ b/openssh-8.2p1-x11-without-ipv6.patch 
@@ -0,0 +1,30 @@ +diff --git a/channels.c b/channels.c +--- a/channels.c ++++ b/channels.c +@@ -3933,16 +3933,26 @@ x11_create_display_inet(int x11_display_ + if (ai->ai_family == AF_INET6) + sock_set_v6only(sock); + if (x11_use_localhost) + set_reuseaddr(sock); + if (bind(sock, ai->ai_addr, ai->ai_addrlen) == -1) { + debug2("%s: bind port %d: %.100s", __func__, + port, strerror(errno)); + close(sock); ++ ++ /* do not remove successfully opened ++ * sockets if the request failed because ++ * the protocol IPv4/6 is not available ++ * (e.g. IPv6 may be disabled while being ++ * supported) ++ */ ++ if (EADDRNOTAVAIL == errno) ++ continue; ++ + for (n = 0; n < num_socks; n++) + close(socks[n]); + num_socks = 0; + break; + } + socks[num_socks++] = sock; + if (num_socks == NUM_SOCKS) + break; diff --git a/openssh-8.3p1-sshd_include.patch b/openssh-8.3p1-sshd_include.patch new file mode 100644 index 0000000..a399e6a --- /dev/null +++ b/openssh-8.3p1-sshd_include.patch 
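Review bot: The added `if (EADDRNOTAVAIL == errno) continue;` reads errno after `close(sock)`, and close() may overwrite errno when it fails, so the bind() error can be lost and the new branch skipped or taken on an unrelated value. Save it first: `int oerrno = errno;` declared at the top of x11_create_display_inet and assigned right after bind() fails, keep `close(sock);`, then `if (oerrno == EADDRNOTAVAIL) continue;`. Writing the comparison as `oerrno == EADDRNOTAVAIL` instead of the reversed form also matches the surrounding code's style. x11_create_display_inet starts and ends outside the inner hunk.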
@@ -0,0 +1,227 @@ +From 3caa40f40c7f97ecf46969e050e530338864033e Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Mon, 25 May 2020 15:46:51 +0200 +Subject: [PATCH 1/3] regress: Add more test cases + +--- + regress/servcfginclude.sh | 36 +++++++++++++++++++++++++++++++++++- + 1 file changed, 35 insertions(+), 1 deletion(-) + +diff --git a/regress/servcfginclude.sh b/regress/servcfginclude.sh +index b25c8faa..b6a9a248 100644 +--- a/regress/servcfginclude.sh ++++ b/regress/servcfginclude.sh +@@ -146,9 +146,43 @@ Include + _EOF + + trace "disallow invalid with no argument" +-${SUDO} ${REAL_SSHD} -f $OBJ/sshd_config.i.x \ ++${SUDO} ${REAL_SSHD} -f $OBJ/sshd_config.i.x -T \ + -C "host=x,user=test,addr=127.0.0.1" 2>/dev/null && \ + fail "sshd allowed Include with no argument" + ++# Ensure the Include before any Match block works as expected (bug #3122) ++cat > $OBJ/sshd_config.i << _EOF ++Banner /xx ++HostKey $OBJ/host.ssh-ed25519 ++Include $OBJ/sshd_config.i.2 ++Match host a ++ Banner /aaaa ++_EOF ++cat > $OBJ/sshd_config.i.2 << _EOF ++Match host a ++ Banner /aa ++_EOF ++ ++trace "Include before match blocks" ++trial a /aa "included file before match blocks is properly evaluated" ++ ++# Port in included file is correctly interpretted (bug #3169) ++cat > $OBJ/sshd_config.i << _EOF ++Include $OBJ/sshd_config.i.2 ++Port 7722 ++_EOF ++cat > $OBJ/sshd_config.i.2 << _EOF ++HostKey $OBJ/host.ssh-ed25519 ++_EOF ++ ++trace "Port after included files" ++${SUDO} ${REAL_SSHD} -f $OBJ/sshd_config.i -T \ ++ -C "host=x,user=test,addr=127.0.0.1" > $OBJ/sshd_config.out || \ ++ fail "failed to parse Port after included files" ++_port=`grep -i '^port ' $OBJ/sshd_config.out | awk '{print $2}'` ++if test "x7722" != "x$_port" ; then ++ fail "The Port in included file was intertepretted wrongly. 
Expected 7722, got $_port" ++fi ++ + # cleanup + rm -f $OBJ/sshd_config.i $OBJ/sshd_config.i.* $OBJ/sshd_config.out +-- +2.25.4 + + +From 924922fcb8f34fb4a156367de2ee33ad92a68a6a Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Mon, 25 May 2020 16:56:39 +0200 +Subject: [PATCH 2/3] Do not call process_queued_listen_addrs() for every + included file + +Fixes #3169 +--- + servconf.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/servconf.c b/servconf.c +index 5bb4b1f8..78a7d87d 100644 +--- a/servconf.c ++++ b/servconf.c +@@ -74,7 +74,7 @@ static void add_listen_addr(ServerOptions *, const char *, + const char *, int); + static void add_one_listen_addr(ServerOptions *, const char *, + const char *, int); +-void parse_server_config_depth(ServerOptions *options, const char *filename, ++static void parse_server_config_depth(ServerOptions *options, const char *filename, + struct sshbuf *conf, struct include_list *includes, + struct connection_info *connectinfo, int flags, int *activep, int depth); + +@@ -2580,7 +2580,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) + #undef M_CP_STRARRAYOPT + + #define SERVCONF_MAX_DEPTH 16 +-void ++static void + parse_server_config_depth(ServerOptions *options, const char *filename, + struct sshbuf *conf, struct include_list *includes, + struct connection_info *connectinfo, int flags, int *activep, int depth) +@@ -2606,7 +2606,6 @@ parse_server_config_depth(ServerOptions *options, const char *filename, + if (bad_options > 0) + fatal("%s: terminating, %d bad configuration options", + filename, bad_options); +- process_queued_listen_addrs(options); + } + + void +@@ -2617,6 +2616,7 @@ parse_server_config(ServerOptions *options, const char *filename, + int active = connectinfo ? 
0 : 1; + parse_server_config_depth(options, filename, conf, includes, + connectinfo, 0, &active, 0); ++ process_queued_listen_addrs(options); + } + + static const char * +-- +2.25.4 + + +From 26d970b4fb373cb7bd99286e41dd095cd1eadbd0 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Tue, 26 May 2020 16:25:24 +0200 +Subject: [PATCH 3/3] servconf: Fix parsing of Match blocks in included files + (#3122) + +--- + servconf.c | 28 +++++++++++++++++++--------- + 1 file changed, 19 insertions(+), 9 deletions(-) + +diff --git a/servconf.c b/servconf.c +index 78a7d87d..a8541514 100644 +--- a/servconf.c ++++ b/servconf.c +@@ -554,6 +554,7 @@ typedef enum { + #define SSHCFG_MATCH 0x02 /* allowed inside a Match section */ + #define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH) + #define SSHCFG_NEVERMATCH 0x04 /* Match never matches; internal only */ ++#define SSHCFG_MATCH_ONLY 0x08 /* Match only in conditional blocks; internal only */ + + /* Textual representation of the tokens. */ + static struct { +@@ -1265,7 +1266,7 @@ static const struct multistate multistate_tcpfwd[] = { + static int + process_server_config_line_depth(ServerOptions *options, char *line, + const char *filename, int linenum, int *activep, +- struct connection_info *connectinfo, int inc_flags, int depth, ++ struct connection_info *connectinfo, int *inc_flags, int depth, + struct include_list *includes) + { + char ch, *cp, ***chararrayptr, **charptr, *arg, *arg2, *p; +@@ -2012,7 +2013,9 @@ process_server_config_line_depth(ServerOptions *options, char *line, + parse_server_config_depth(options, + item->filename, item->contents, + includes, connectinfo, +- (oactive ? 0 : SSHCFG_NEVERMATCH), ++ (*inc_flags & SSHCFG_MATCH_ONLY ++ ? SSHCFG_MATCH_ONLY : (oactive ++ ? 
0 : SSHCFG_NEVERMATCH)), + activep, depth + 1); + } + found = 1; +@@ -2060,7 +2063,9 @@ process_server_config_line_depth(ServerOptions *options, char *line, + parse_server_config_depth(options, + item->filename, item->contents, + includes, connectinfo, +- (oactive ? 0 : SSHCFG_NEVERMATCH), ++ (*inc_flags & SSHCFG_MATCH_ONLY ++ ? SSHCFG_MATCH_ONLY : (oactive ++ ? 0 : SSHCFG_NEVERMATCH)), + activep, depth + 1); + *activep = oactive; + TAILQ_INSERT_TAIL(includes, item, entry); +@@ -2078,11 +2083,14 @@ process_server_config_line_depth(ServerOptions *options, char *line, + if (cmdline) + fatal("Match directive not supported as a command-line " + "option"); +- value = match_cfg_line(&cp, linenum, connectinfo); ++ value = match_cfg_line(&cp, linenum, ++ (*inc_flags & SSHCFG_NEVERMATCH ? NULL : connectinfo)); + if (value < 0) + fatal("%s line %d: Bad Match condition", filename, + linenum); +- *activep = (inc_flags & SSHCFG_NEVERMATCH) ? 0 : value; ++ *activep = (*inc_flags & SSHCFG_NEVERMATCH) ? 0 : value; ++ /* The MATCH_ONLY is applicable only until the first match block */ ++ *inc_flags &= ~SSHCFG_MATCH_ONLY; + break; + + case sKerberosUseKuserok: +@@ -2385,8 +2393,9 @@ process_server_config_line(ServerOptions *options, char *line, + const char *filename, int linenum, int *activep, + struct connection_info *connectinfo, struct include_list *includes) + { ++ int inc_flags = 0; + return process_server_config_line_depth(options, line, filename, +- linenum, activep, connectinfo, 0, 0, includes); ++ linenum, activep, connectinfo, &inc_flags, 0, includes); + } + + +@@ -2591,14 +2600,15 @@ parse_server_config_depth(ServerOptions *options, const char *filename, + if (depth < 0 || depth > SERVCONF_MAX_DEPTH) + fatal("Too many recursive configuration includes"); + +- debug2("%s: config %s len %zu", __func__, filename, sshbuf_len(conf)); ++ debug2("%s: config %s len %zu%s", __func__, filename, sshbuf_len(conf), ++ (flags & SSHCFG_NEVERMATCH ? 
" [checking syntax only]" : "")); + + if ((obuf = cbuf = sshbuf_dup_string(conf)) == NULL) + fatal("%s: sshbuf_dup_string failed", __func__); + linenum = 1; + while ((cp = strsep(&cbuf, "\n")) != NULL) { + if (process_server_config_line_depth(options, cp, +- filename, linenum++, activep, connectinfo, flags, ++ filename, linenum++, activep, connectinfo, &flags, + depth, includes) != 0) + bad_options++; + } +@@ -2615,7 +2625,7 @@ parse_server_config(ServerOptions *options, const char *filename, + { + int active = connectinfo ? 0 : 1; + parse_server_config_depth(options, filename, conf, includes, +- connectinfo, 0, &active, 0); ++ connectinfo, (connectinfo ? SSHCFG_MATCH_ONLY : 0), &active, 0); + process_queued_listen_addrs(options); + } + +-- +2.25.4 + + diff --git a/openssh.spec b/openssh.spec index c72f702..f877051 100644 --- a/openssh.spec +++ b/openssh.spec @@ -65,10 +65,10 @@ %endif # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 -%global openssh_ver 8.2p1 -%global openssh_rel 2 +%global openssh_ver 8.3p1 +%global openssh_rel 3 %global pam_ssh_agent_ver 0.10.3 -%global pam_ssh_agent_rel 9 +%global pam_ssh_agent_rel 10 Summary: An open source implementation of SSH protocol version 2 Name: openssh @@ -213,6 +213,10 @@ Patch963: openssh-8.0p1-openssl-evp.patch Patch964: openssh-8.0p1-openssl-kdf.patch # sk-dummy.so built with -fvisibility=hidden does not work Patch965: openssh-8.2p1-visibility.patch +# Do not break X11 without IPv6 +Patch966: openssh-8.2p1-x11-without-ipv6.patch +# Unbreak sshd_config include corner cases (#3122) +Patch967: openssh-8.3p1-sshd_include.patch License: BSD Requires: /sbin/nologin 
@@ -233,7 +237,6 @@ BuildRequires: autoconf, automake, perl-interpreter, perl-generators, zlib-devel BuildRequires: audit-libs-devel >= 2.0.5 BuildRequires: util-linux, groff BuildRequires: pam-devel -BuildRequires: fipscheck-devel >= 1.3.0 BuildRequires: openssl-devel >= 0.9.8j BuildRequires: perl-podlators BuildRequires: systemd-devel @@ -264,16 +267,14 @@ BuildRequires: gnupg2 %package clients Summary: An open source SSH client applications Requires: openssh = %{version}-%{release} -Requires: fipscheck-lib%{_isa} >= 1.3.0 -Requires: crypto-policies >= 20180306-1 +Requires: crypto-policies >= 20200610-1 %package server Summary: An open source SSH server daemon Requires: openssh = %{version}-%{release} Requires(pre): /usr/sbin/useradd Requires: pam >= 1.0.1-3 -Requires: fipscheck-lib%{_isa} >= 1.3.0 -Requires: crypto-policies >= 20180306-1 +Requires: crypto-policies >= 20200610-1 %{?systemd_requires} %if %{ldap} @@ -415,6 +416,8 @@ popd %patch963 -p1 -b .openssl-evp %patch964 -p1 -b .openssl-kdf %patch965 -p1 -b .visibility +%patch966 -p1 -b .x11-ipv6 +%patch967 -p1 -b .include %patch200 -p1 -b .audit %patch201 -p1 -b .audit-race @@ -545,14 +548,6 @@ make popd %endif -# Add generation of HMAC checksums of the final stripped binaries -%global __spec_install_post \ - %%{?__debug_package:%%{__debug_install_post}} \ - %%{__arch_install_post} \ - %%{__os_install_post} \ - fipshmac -d $RPM_BUILD_ROOT%{_libdir}/fipscheck $RPM_BUILD_ROOT%{_bindir}/ssh $RPM_BUILD_ROOT%{_sbindir}/sshd \ -%{nil} - %check #to run tests use "--with check" %if %{?_with_check:1}%{!?_with_check:0} 
@@ -572,12 +567,11 @@ rm -f $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ldap.conf
 install -d $RPM_BUILD_ROOT/etc/pam.d/
 install -d $RPM_BUILD_ROOT/etc/sysconfig/
 install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh
-install -d $RPM_BUILD_ROOT%{_libdir}/fipscheck
 install -m644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sshd
 install -m644 %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/ssh-keycat
 install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/sysconfig/sshd
-install -m644 ssh_config_redhat $RPM_BUILD_ROOT/etc/ssh/ssh_config.d/05-redhat.conf
-install -m644 sshd_config_redhat $RPM_BUILD_ROOT/etc/ssh/sshd_config.d/05-redhat.conf
+install -m644 ssh_config_redhat $RPM_BUILD_ROOT/etc/ssh/ssh_config.d/50-redhat.conf
+install -m644 sshd_config_redhat $RPM_BUILD_ROOT/etc/ssh/sshd_config.d/50-redhat.conf
 install -d -m755 $RPM_BUILD_ROOT/%{_unitdir}
 install -m644 %{SOURCE9} $RPM_BUILD_ROOT/%{_unitdir}/sshd@.service
 install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/sshd.socket
@@ -644,13 +638,12 @@ getent passwd sshd >/dev/null || \
 
 %files clients
 %attr(0755,root,root) %{_bindir}/ssh
-%attr(0644,root,root) %{_libdir}/fipscheck/ssh.hmac
 %attr(0644,root,root) %{_mandir}/man1/ssh.1*
 %attr(0755,root,root) %{_bindir}/scp
 %attr(0644,root,root) %{_mandir}/man1/scp.1*
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
 %dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d/
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config.d/05-redhat.conf
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config.d/50-redhat.conf
 %attr(0644,root,root) %{_mandir}/man5/ssh_config.5*
 %if ! %{rescue}
 %attr(0755,root,root) %{_bindir}/ssh-agent
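Review bot: Renaming the packaged drop-in from `05-redhat.conf` to `50-redhat.conf` in this `%files clients` hunk (and in the server section's `sshd_config.d` hunk below) drops ownership of the old path, so on upgrade rpm removes an unmodified `05-redhat.conf` and renames a locally edited one to `.rpmsave`, which an Include of `*.conf` would not read; any hardening an administrator placed in that noreplace file would stop applying without notice. If that is acceptable it should be stated in the changelog entry, otherwise a small scriptlet that warns about or migrates a leftover `05-redhat.conf` would be safer. It is also worth confirming that the new 50- ordering still sorts after the crypto-policies include the changelog says now comes first, since sshd keeps the first value it reads for each keyword.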
@@ -673,7 +666,6 @@ getent passwd sshd >/dev/null || \
 %files server
 %dir %attr(0711,root,root) %{_var}/empty/sshd
 %attr(0755,root,root) %{_sbindir}/sshd
-%attr(0644,root,root) %{_libdir}/fipscheck/sshd.hmac
 %attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
 %attr(0755,root,root) %{_libexecdir}/openssh/sshd-keygen
 %attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
@@ -682,7 +674,7 @@ getent passwd sshd >/dev/null || \
 %attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
 %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
 %dir %attr(0700,root,root) %{_sysconfdir}/ssh/sshd_config.d/
-%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/05-redhat.conf
+%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/50-redhat.conf
 %attr(0644,root,root) %config(noreplace) /etc/pam.d/sshd
 %attr(0640,root,root) %config(noreplace) /etc/sysconfig/sshd
 %attr(0644,root,root) %{_unitdir}/sshd.service
@@ -728,9 +720,32 @@ getent passwd sshd >/dev/null || \ %endif %changelog -* Thu Mar 26 2020 David Abdurachmanov - 8.2p1-2 + 0.10.3-9.0.riscv64 +* Thu Jul 23 2020 David Abdurachmanov - 8.3p1-3 + 0.10.3-10.0.riscv64 - Add support for RISC-V (riscv64) +* Wed Jun 10 2020 Jakub Jelen - 8.3p1-3 + 0.10.3-10 +- Do not lose PIN when more slots match PKCS#11 URI (#1843372) +- Update to new crypto-policies version on server (using sshd_config include) +- Move redhat configuraion files to larger number to allow simpler override +- Move sshd_config include before any other definitions (#1824913) + +* Mon Jun 01 2020 Jakub Jelen - 8.3p1-2 + 0.10.3-10 +- Fix crash on cleanup (#1842281) + +* Wed May 27 2020 Jakub Jelen - 8.3p1-1 + 0.10.3-10 +- New upstream release (#1840503) +- Unbreak corner cases of sshd_config include +- Fix order of gssapi key exchange algorithms + +* Wed Apr 08 2020 Jakub Jelen - 8.2p1-3 + 0.10.3-9 +- Simplify reference to crypto policies in configuration files +- Unbreak gssapi authentication with GSSAPITrustDNS over jump hosts +- Correctly print FIPS mode initialized in debug mode +- Enable SHA2-based GSSAPI key exchange methods (#1666781) +- Do not break X11 forwarding when IPv6 is disabled +- Remove fipscheck dependency as OpenSSH is no longer FIPS module +- Improve documentation about crypto policies defaults in manual pages + * Thu Feb 20 2020 Jakub Jelen - 8.2p1-2 + 0.10.3-9 - Build against libfido2 to unbreak internal u2f support diff --git a/sources b/sources index c951140..112375c 100644 --- a/sources +++ b/sources 
@@ -1,4 +1,4 @@
-SHA512 (openssh-8.2p1.tar.gz) = c4db64e52a3a4c410de9de49f9cb104dd493b10250af3599b92457dd986277b3fd99a6f51cec94892fd1be5bd0369c5757262ea7805f0de464b245c3d34c120a
-SHA512 (openssh-8.2p1.tar.gz.asc) = e6d091289d62d3a01d5978e3c26f72d8ea6979c345fbebc215515185ea567c959f5b17e32052d752829ab4c6bc537fd977f7aa02cf0a23280da63fd9d880f303
+SHA512 (openssh-8.3p1.tar.gz) = b5232f7c85bf59ae2ff9d17b030117012e257e3b8c0d5ac60bb139a85b1fbf298b40f2e04203a2e13ca7273053ed668b9dedd54d3a67a7cb8e8e58c0228c5f40
+SHA512 (openssh-8.3p1.tar.gz.asc) = 569fa12b3671af15bd7cd54fc7b13d1d64f3e96eb28f6dc430082f7bec4595689c633d3d56c23faad45b73e4da666c3ec090de26bf54f49410ba9bb8b5363e75
 SHA512 (DJM-GPG-KEY.gpg) = db1191ed9b6495999e05eed2ef863fb5179bdb63e94850f192dad68eed8579836f88fbcfffd9f28524fe1457aff8cd248ee3e0afc112c8f609b99a34b80ecc0d
 SHA512 (pam_ssh_agent_auth-0.10.3.tar.bz2) = d75062c4e46b0b011f46aed9704a99049995fea8b5115ff7ee26dad7e93cbcf54a8af7efc6b521109d77dc03c6f5284574d2e1b84c6829cec25610f24fb4bd66
diff --git a/sshd.service b/sshd.service
index 8f3dbd6..336025b 100644
--- a/sshd.service
+++ b/sshd.service
@@ -6,10 +6,9 @@ Wants=sshd-keygen.target
 
 [Service]
 Type=notify
-EnvironmentFile=-/etc/crypto-policies/back-ends/opensshserver.config
 EnvironmentFile=-/etc/sysconfig/sshd-permitrootlogin
 EnvironmentFile=-/etc/sysconfig/sshd
-ExecStart=/usr/sbin/sshd -D $OPTIONS $CRYPTO_POLICY $PERMITROOTLOGIN
+ExecStart=/usr/sbin/sshd -D $OPTIONS $PERMITROOTLOGIN
 ExecReload=/bin/kill -HUP $MAINPID
 KillMode=process
 Restart=on-failure
diff --git a/sshd@.service b/sshd@.service
index e4fd7f4..4a51b7b 100644
--- a/sshd@.service
+++ b/sshd@.service
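Review bot: Dropping `EnvironmentFile=-/etc/crypto-policies/back-ends/opensshserver.config` and `$CRYPTO_POLICY` from ExecStart means the system crypto policy is no longer forced onto sshd from the command line; the sshd@.service hunk below makes the same removal. The replacement is presumably the sshd_config Include of the newer crypto-policies back-end that the changelog and the bumped `crypto-policies >= 20200610-1` requirement refer to, but that configuration is not in this diff, so it should be confirmed that the shipped sshd_config includes it before any Ciphers, MACs or KexAlgorithms lines — sshd keeps the first value it reads for each keyword, so an include placed later would be overridden by local settings rather than enforcing the policy. A unit-file comment such as `# Crypto policy is applied through the sshd_config Include, not via $CRYPTO_POLICY` would stop someone from re-adding the old environment file out of habit.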
@@ -5,8 +5,7 @@ Wants=sshd-keygen.target
 After=sshd-keygen.target
 
 [Service]
-EnvironmentFile=-/etc/crypto-policies/back-ends/opensshserver.config
 EnvironmentFile=-/etc/sysconfig/sshd-permitrootlogin
 EnvironmentFile=-/etc/sysconfig/sshd
-ExecStart=-/usr/sbin/sshd -i $OPTIONS $CRYPTO_POLICY $PERMITROOTLOGIN
+ExecStart=-/usr/sbin/sshd -i $OPTIONS $PERMITROOTLOGIN
 StandardInput=socket